PIX inspection question

I have been told the PIX isn't able to do stateful inspection on packets before passing them to the internal interface when terminating an IPSec VPN. I have also heard the packets are decrypted first, then statefully inspected before being handed to the internal interface.

Re: PIX inspection question

Both statements are true. It depends on where your tunnel is terminating. Normally, when the tunnel terminates on the outside interface, the packet is decrypted -> stateful inspection is done. If the tunnel is terminated on the internal interface using the sysopt ipsec pl-compatible command, then stateful inspection of the decrypted packet is not done. That is why it is suggested to use the nat 0 command instead of sysopt ipsec pl-compatible. Hope this helps.
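To make the two options in the reply concrete, here is an added configuration example in PIX 6.x syntax; it is not from the original thread or from Cisco. The object names (nonat, vpn-traffic, strong, outside_map), the 10.1.1.0/24 and 10.2.2.0/24 networks, the 203.0.113.1 peer and the pre-shared key placeholder are all assumed.

```text
: --- Option discouraged in the reply: sysopt ipsec pl-compatible ---
: Decrypted VPN traffic bypasses the stateful inspection engine.
: (assumed minimal fragment; only the command itself is from the thread)
sysopt ipsec pl-compatible

: --- Option recommended in the reply: terminate on outside, exempt with nat 0 ---
: VPN traffic is decrypted on the outside interface, then statefully
: inspected before it reaches the inside interface.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
: Same traffic selector drives the crypto map (interesting traffic)
access-list vpn-traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
: Let IPSec-protected packets through without a separate conduit/ACL
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn-traffic
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp key PRESHARED_KEY_PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

With the second form, the nat 0 exemption keeps the VPN traffic untranslated while the tunnel still terminates on the outside interface, so decrypted packets pass through the stateful engine as the reply describes.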
